What Is An MCP Server? The Part The Spec Skips: Sharing Your Keyboard With The Model

An MCP server is a long-running process that speaks JSON-RPC 2.0 to an AI client (Claude Desktop, Cursor, VS Code, Cline) and advertises a list of typed tools the model is allowed to call. When the client invokes a tool, the server executes the action and returns a text or structured result. macos-use is an MCP server that exposes six such tools, registered in one array at Sources/MCPServer/main.swift:1408, which control macOS apps via the Accessibility APIs.

The spec defines three primitives (tools, resources, prompts), a JSON-RPC 2.0 wire format, a handful of lifecycle methods (initialize, listTools, callTool, listResources, readResource, listPrompts), and a transport (stdio or HTTP). That is the contract between client and server. It does not define what the server does to your OS while executing the tool. Everything below this line happens inside a block the spec is silent about.

Because a remote MCP server runs on someone else's box. A local MCP server runs on yours, and if its tool is 'click at (412, 598) and type hello' it is fighting you for the same cursor and the same keyboard the whole time. Without a guard, the user alt-tabbing mid-automation can land a keystroke inside the wrong field, or the model can loop and never release focus. macos-use solves this by installing a kernel-level CGEventTap at InputGuard.swift:113 which swallows all hardware keyboard and mouse events for the duration of the tool call, and a 30-second watchdog at InputGuard.swift:24 which force-releases the tap so the machine is never unrecoverably locked.

The CGEventTap callback at InputGuard.swift:311-355 reads every hardware keyboard event. When it sees a keyDown, it pulls the keycode with event.getIntegerValueField(.keyboardEventKeycode). Line 345 checks `keyCode == 53 && flags.intersection(modifierMask).isEmpty`, which is plain Escape with no Cmd, Ctrl, Option, or Shift. On match, line 347 writes `/tmp/macos-use/esc_pressed.txt` as a ground-truth marker (useful for post-hoc debugging), calls handleEscPressed, and returns `nil` to suppress the Esc event so it never reaches the frontmost app. Between automation steps, throwIfCancelled at InputGuard.swift:53 reads that cancelled flag and throws InputGuardCancelled, which aborts the composed click→type→press chain.

It is long enough to cover a normal tool call (click, scroll, multi-step open), but short enough that if the server hangs or the tap gets stuck, the user is not locked out of their machine for more than half a minute. Line 24 of InputGuard.swift declares `var watchdogTimeout: TimeInterval = 30` and startWatchdog at line 172 arms a DispatchSource.makeTimerSource on the global queue that fires after exactly that interval, logs `watchdog fired after 30.0s — auto-disengaging`, and calls disengage(). If your tool genuinely needs longer, bump the constant in your fork; there is no runtime flag.

Eleven types, enumerated at InputGuard.swift:115-126. keyDown, keyUp, leftMouseDown, leftMouseUp, rightMouseDown, rightMouseUp, mouseMoved, leftMouseDragged, rightMouseDragged, scrollWheel, and flagsChanged (modifier key state). That is every hardware input path the user has. Returning `nil` from the callback at line 354 swallows the event. Programmatic events the server itself posts via CGEvent.post use .hidSystemState (non-zero sourceStateID), so the check at line 329-332 lets those through: the server can still click and type while the user is blocked.

An MCP server is just a tool provider. It does not decide what to do; the client's LLM does. The server advertises `{tool: 'click_and_traverse', params: {pid, x, y}}`, the model reasons about when to invoke it, the client sends the JSON-RPC call over stdio, the server performs the click, the server returns a summary. The agent is the loop that wraps the model and the client; the MCP server is a passive endpoint. macos-use, specifically, implements only the server side: it has no prompts, no memory, and no model. It is 1917 lines of Swift at Sources/MCPServer/main.swift plus 355 lines of input-guard code at InputGuard.swift.

Stdio. Line 1874 of main.swift wires a StdioTransport() into the MCP SDK's Server instance. That means the server reads newline-delimited JSON-RPC from stdin and writes responses to stdout, and the AI client (e.g. Claude Desktop) launches the binary as a child process. There is no HTTP listener, no port, no socket. That choice matters for the safety story: because the server is a child of the client, killing the client kills the server, which releases any CGEventTap it had installed. The OS cleans up on process exit even if InputGuard.disengage() never runs.

No. The engage() path at InputGuard.swift:69-95 is synchronous on the main thread: it creates the event tap and shows the overlay before returning. If the tap fails (Accessibility permission not granted, for example), line 140 logs an error, flips _engaged back to false, and the call is a no-op. If the overlay fails, the tap would already be down so hardware is blocked but the user has no visual indication. In practice, both succeed or both fail together because both go through the same NSApplication.shared + main run loop, and the check for Accessibility permission happens once at server boot.

Most macOS-flavored MCP servers I checked do not ship any keyboard kill-switch at all. They assume a cooperative user. The ones that do ship a kill-switch usually rely on the AI client to implement the cancel UI, which means pressing Esc in the client window works, but pressing Esc while focus is inside the app being automated does not. macos-use installs the CGEventTap at .cghidEventTap placement (InputGuard.swift:133), which sits ahead of every app's event dispatcher including its own. Esc from inside any app on the machine cancels automation. That is the structural thing the protocol spec doesn't talk about.

A CallTool.Result that carries `content: [MCPContent]`. macos-use returns a single text content item containing a compact summary (status, pid, app name, file path to the on-disk traversal, grep hint, screenshot path, tool-specific one-liner). The model reads the summary, then uses its own filesystem tools to grep the traversal file on demand. The return value is always text; structured content is supported by the spec but this server does not use it. See buildCompactSummary at main.swift:731.

Yes, and they probably should for any local MCP server that touches hardware input. The pattern is platform-specific (CGEventTap on macOS, low-level keyboard hooks on Windows, evdev/libinput on Linux) but the shape generalizes: install a system-level input blocker before the tool executes, arm a short watchdog timer, reserve one plain keystroke as a universal cancel, and emit a visible overlay so the user knows who is driving. The 355 lines of InputGuard.swift are the reference implementation for macOS; the constants (30s watchdog, keycode 53, .cghidEventTap) are tuned values, not cargo-culted defaults.